def parse_Compound_File(file_to_parse):
file_object = open(file_to_parse, "rb")
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object)
SQLitedb.CreateTempTable(table_name + '_temp', table_columns)
root_item = olecf_file.get_root_item()
Base_Name = ntpath.basename(file_to_parse)
(File_Name, Extension) = ntpath.splitext(Base_Name)
if (App_Id.CheckAppId(File_Name)):
App_Id_Desc = App_Id.SelectAppId(File_Name)[0]
else:
App_Id_Desc = File_Name
for i in range(0, root_item.get_number_of_sub_items()):
jl_record = []
jl_record.append(File_Name)
jl_record.append(App_Id_Desc)
new_item = root_item.get_sub_item(i)
jl_record.append(new_item.get_name())
if new_item.get_name() == u'DestList':
continue
new_link_item = pylnk.file()
new_link_item.open_file_object(new_item)
jl_record = Create_Bind_Values(jl_record, new_link_item)
SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns,
sql_bind, jl_record)
if (SQLitedb.TableExists(table_name)):
SQLitedb.AppendTempToPermanentTable(table_name)
else:
SQLitedb.CreatePermanentTable(table_name)
SQLitedb.DropTable(table_name + '_temp')
def ParseFileObject(self, parser_mediator, file_object):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open file with error: {0!s}'.format(exception))
return
root_item = olecf_file.root_item
if not root_item:
return
# Get a list of all items in the root item from the OLECF file.
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugin objects.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
item_names = frozenset(item_names)
try:
for plugin in self._plugins:
if parser_mediator.abort:
break
if not plugin.REQUIRED_ITEMS.issubset(item_names):
continue
try:
plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionWarning((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(plugin.NAME, exception))
if self._default_plugin and not parser_mediator.abort:
try:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionWarning((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(self._default_plugin.NAME, exception))
finally:
olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode):
"""Tests multiple open and close."""
description = ("Testing multi open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
olecf_file.open(filename, mode)
olecf_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def test_open_close(self):
"""Tests the open and close functions."""
if not unittest.source:
return
olecf_file = pyolecf.file()
# Test open and close.
olecf_file.open(unittest.source)
olecf_file.close()
# Test open and close a second time to validate clean up on close.
olecf_file.open(unittest.source)
olecf_file.close()
file_object = open(unittest.source, "rb")
# Test open_file_object and close.
olecf_file.open_file_object(file_object)
olecf_file.close()
# Test open_file_object and close a second time to validate clean up on close.
olecf_file.open_file_object(file_object)
olecf_file.close()
# Test open_file_object and close and dereferencing file_object.
olecf_file.open_file_object(file_object)
del file_object
olecf_file.close()
def pyolecf_test_single_open_close_file_object_with_dereference(
filename, mode):
"""Tests single file-like object open and close with dereference."""
description = (
"Testing single open close of file-like object with dereference of: "
"{0:s} with access: {1:s}\t").format(
get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
file_object = open(filename, "rb")
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object, mode)
del file_object
olecf_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def ParseFileObject(self, parser_mediator, file_object):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except (IOError, TypeError) as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open file with error: {0!s}'.format(exception))
return
root_item = olecf_file.root_item
if not root_item:
return
# Get a list of all items in the root item from the OLECF file.
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugin objects.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
item_names = frozenset(item_names)
try:
for plugin in self._plugins:
if parser_mediator.abort:
break
if not plugin.REQUIRED_ITEMS.issubset(item_names):
continue
try:
plugin.UpdateChainAndProcess(parser_mediator, root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionWarning((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(plugin.NAME, exception))
if self._default_plugin and not parser_mediator.abort:
try:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionWarning((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(self._default_plugin.NAME, exception))
finally:
olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode):
"""Tests multiple open and close."""
description = (
"Testing multi open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
olecf_file.open(filename, mode)
olecf_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def pyolecf_test_single_open_close_file_object_with_dereference(
filename, mode):
"""Tests single file-like object open and close with dereference."""
description = (
"Testing single open close of file-like object with dereference of: "
"{0:s} with access: {1:s}\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
file_object = open(filename, "rb")
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object, mode)
del file_object
olecf_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def _enum_link_files(self):
olecf_file = None
if pyolecf.check_file_signature_file_object(self.file_io):
olecf_file = pyolecf.file()
olecf_file.open_file_object(self.file_io)
dest_list_item = olecf_file.root_item.get_sub_item_by_name(
'DestList')
data_size = dest_list_item.get_size()
raw_data = dest_list_item.read(data_size)
dest_list = DestList(raw_data)
for entry in dest_list:
item_name = hex(entry.entry_number)[2:]
link_item = olecf_file.root_item.get_sub_item_by_name(
item_name)
data_size = link_item.get_size()
raw_data = link_item.read(data_size)
byte_io = io.BytesIO(raw_data)
lnk_parser = LnkParser(byte_io,
"{} [{}]".format(
self.source_description, item_name),
jmp_info=entry.as_dict())
self.lnk_files.append(lnk_parser)
else:
logging.debug("{} does not have valid olecf signature.".format(
self.source_description))
def test_close(self):
"""Tests the close function."""
if not unittest.source:
return
olecf_file = pyolecf.file()
with self.assertRaises(IOError):
olecf_file.close()
def extractOleFile(file_name,destination):
olecf_file = pyolecf.file()
olecf_file.open(file_name)
root = olecf_file.get_root_item()
for x in range(0, root.get_number_of_sub_items()):
sub_item = root.get_sub_item(x)
if sub_item.get_name() == "CONTENTS":
extractOleItem(item=sub_item, path=destination)
olecf_file.close()
def test_close(self):
"""Tests the close function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
olecf_file = pyolecf.file()
with self.assertRaises(IOError):
olecf_file.close()
def main( argc, argv ): result = 0 if argc != 1: print "Usage: pyolecf_test_set_ascii_codepage.py\n" return 1 supported_codepages = [ "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ] unsupported_codepages = [ "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10", "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16", "koi8_r", "koi8_u" ] olecf_file = pyolecf.file() for codepage in supported_codepages: print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: olecf_file.ascii_codepage = codepage result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ), try: olecf_file.set_ascii_codepage( codepage ) result = 0 except: result = 1 if result != 0: print "(FAIL)" return 1 print "(PASS)" for codepage in unsupported_codepages: print "Testing setting unsupported ASCII codepage of: %s:\t" %( codepage ), result = 1 try: olecf_file.ascii_codepage = codepage except RuntimeError, exception: if exception.message == "pyolecf_file_set_ascii_codepage_from_string: unable to determine ASCII codepage.": result = 0 except:
def Parse(self, file_entry):
"""Extracts data from an OLE Compound File (OLECF).
Args:
file_entry: A file entry object.
Yields:
Event objects (EventObject) that contains the parsed
attributes.
"""
file_object = file_entry.GetFileObject()
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(self._codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s}: {2:s}'.format(
self.parser_name, file_entry.name, exception))
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugins.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
parsed = False
for olecf_name, olecf_plugin in self._plugins.iteritems():
# We would like to skip the default plugin for now.
if olecf_name == 'olecf_default':
continue
try:
for event_object in olecf_plugin.Process(
root_item=root_item, item_names=item_names):
parsed = True
event_object.plugin = olecf_plugin.plugin_name
yield event_object
except errors.WrongPlugin:
logging.debug(
u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format(
self.parser_name, olecf_plugin.plugin_name, file_entry.name))
# Check if we still haven't parsed the file, and if so we will use
# the default OLECF plugin.
if not parsed:
default_plugin = self._plugins.get('olecf_default', None)
if default_plugin:
for event_object in default_plugin.Process(
root_item=root_item, item_names=item_names):
event_object.plugin = default_plugin.plugin_name
yield event_object
file_object.close()
def _ParseOLECFFileWithPlugin(self,
path_segments,
plugin,
codepage='cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (OLECFPlugin): OLE CF plugin.
codepage (Optional[str]): codepage.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin.Process(parser_mediator,
root_item=root_item,
item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def _OpenOleCfFile(self, path, codepage='cp1252'):
"""Opens an OLE compound file and returns back a pyolecf.file object."""
path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=path)
file_entry = path_spec_resolver.Resolver.OpenFileEntry(path_spec)
file_object = file_entry.GetFileObject()
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
return olecf_file
def Parse(self, parser_context, file_entry):
"""Extracts data from an OLE Compound File (OLECF).
Args:
parser_context: A parser context object (instance of ParserContext).
file_entry: A file entry object (instance of dfvfs.FileEntry).
Yields:
Event objects (EventObject) that contains the parsed
attributes.
"""
file_object = file_entry.GetFileObject()
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_context.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s}: {2:s}'.format(
self.NAME, file_entry.name, exception))
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugins.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
parsed = False
for plugin_object in self._plugins:
try:
plugin_object.Process(
parser_context, file_entry=file_entry, root_item=root_item,
item_names=item_names)
except errors.WrongPlugin:
logging.debug(
u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format(
self.NAME, plugin_object.NAME, file_entry.name))
# Check if we still haven't parsed the file, and if so we will use
# the default OLECF plugin.
if not parsed and self._default_plugin:
self._default_plugin.Process(
parser_context, file_entry=file_entry, root_item=root_item,
item_names=item_names)
olecf_file.close()
file_object.close()
def test_get_root_item(self):
"""Tests the get_root_item function and root_item property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
olecf_file = pyolecf.file()
olecf_file.open(unittest.source)
_ = olecf_file.get_root_item()
_ = olecf_file.root_item
olecf_file.close()
def pyolecf_test_single_open_close_file(filename, mode):
"""Tests a single open and close."""
description = (
"Testing single open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
except TypeError as exception:
expected_message = (
"{0:s}: unsupported string object type.").format(
"pyolecf_file_open")
if not filename and str(exception) == expected_message:
pass
else:
error_string = str(exception)
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format(
"pyolecf_file_open")
if mode != "w" or str(exception) != expected_message:
error_string = str(exception)
result = False
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def test_get_short_sector_size(self):
"""Tests the get_short_sector_size function and short_sector_size property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
olecf_file = pyolecf.file()
olecf_file.open(unittest.source)
short_sector_size = olecf_file.get_short_sector_size()
self.assertIsNotNone(short_sector_size)
self.assertIsNotNone(olecf_file.short_sector_size)
olecf_file.close()
def test_get_ascii_codepage(self):
"""Tests the get_ascii_codepage function and ascii_codepage property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
olecf_file = pyolecf.file()
olecf_file.open(unittest.source)
ascii_codepage = olecf_file.get_ascii_codepage()
self.assertIsNotNone(ascii_codepage)
self.assertIsNotNone(olecf_file.ascii_codepage)
olecf_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
"""
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceParseError(
u'unable to open file with error: {0:s}'.format(exception))
return
root_item = olecf_file.root_item
if not root_item:
return
# Get a list of all items in the root item from the OLE CF file.
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugins.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
parsed = False
for plugin_object in self._plugins:
try:
plugin_object.UpdateChainAndProcess(parser_mediator,
root_item=root_item,
item_names=item_names)
except errors.WrongPlugin:
logging.debug(
u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'
.format(self.NAME, plugin_object.NAME,
parser_mediator.GetDisplayName()))
# Check if we still haven't parsed the file, and if so we will use
# the default OLECF plugin.
if not parsed and self._default_plugin:
self._default_plugin.UpdateChainAndProcess(parser_mediator,
root_item=root_item,
item_names=item_names)
olecf_file.close()
def _ParseOLECFFileWithPlugin(self,
path_segments,
plugin,
codepage=u'cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments: a list of strings containinge the path segments inside
plugin: an OLE CF plugin object (instance of OLECFPlugin).
codepage: optional string containing the codepage.
knowledge_base_values: optional dictionary containing the knowledge base
values.
Returns:
A storage writer object (instance of FakeStorageWriter).
"""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin.Process(parser_mediator,
root_item=root_item,
item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def _OpenOleCfFile(self, path, codepage=u'cp1252'):
"""Opens an OLE compound file and returns back a pyolecf.file object.
Args:
path: The path to the OLE CF test file.
codepage: Optional codepage.
"""
file_entry = self._GetTestFileEntryFromPath([path])
file_object = file_entry.GetFileObject()
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
return olecf_file
def _OpenOleCfFile(self, path, codepage=u'cp1252'):
"""Opens an OLE compound file and returns back a pyolecf.file object.
Args:
path: The path to the OLE CF test file.
codepage: Optional codepage. The default is cp1252.
"""
file_entry = self._GetTestFileEntryFromPath([path])
file_object = file_entry.GetFileObject()
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
return olecf_file
def testReadDestList(self):
"""Tests the _ReadDestList function."""
output_writer = test_lib.TestOutputWriter()
test_file = jump_list.AutomaticDestinationsFile(output_writer=output_writer)
test_file_path = self._GetTestFilePath([
'1b4dd67f29cb1962.automaticDestinations-ms'])
with open(test_file_path, 'rb') as file_object:
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object)
try:
test_file._ReadDestList(olecf_file)
finally:
olecf_file.close()
def pyolecf_test_single_open_close_file(filename, mode):
"""Tests a single open and close."""
description = ("Testing single open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
except TypeError as exception:
expected_message = ("{0:s}: unsupported string object type."
).format("pyolecf_file_open")
if not filename and str(exception) == expected_message:
pass
else:
error_string = str(exception)
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format("pyolecf_file_open")
if mode != "w" or str(exception) != expected_message:
error_string = str(exception)
result = False
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def pyolecf_test_single_open_close_file_object(filename, mode):
print ("Testing single open close of file-like object of: {0:s} with access: "
"{1:s}\t").format(filename, get_mode_string(mode))
try:
file_object = open(filename, mode)
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object, mode)
olecf_file.close()
except:
print "(FAIL)"
return False
print "(PASS)"
return True
def __init__(self, debug=False):
"""Initializes the .automaticDestinations-ms file object.
Args:
debug: optional boolean value to indicate if debug information should
be printed.
"""
super(AutomaticDestinationsFile, self).__init__()
self._debug = debug
self._format_version = None
self._file_object = None
self._file_object_opened_in_object = False
self._file_size = 0
self._olecf_file = pyolecf.file()
self.entries = []
self.recovered_entries = []
def __init__(self, debug=False):
"""Initializes the .automaticDestinations-ms file object.
Args:
debug: optional boolean value to indicate if debug information should
be printed.
"""
super(AutomaticDestinationsFile, self).__init__()
self._debug = debug
self._format_version = None
self._file_object = None
self._file_object_opened_in_object = False
self._file_size = 0
self._olecf_file = pyolecf.file()
self.entries = []
self.recovered_entries = []
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s}: {2:s}'.format(
self.NAME, parser_mediator.GetDisplayName(), exception))
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugins.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
parsed = False
for plugin_object in self._plugins:
try:
plugin_object.UpdateChainAndProcess(
parser_mediator, root_item=root_item, item_names=item_names)
except errors.WrongPlugin:
logging.debug(
u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format(
self.NAME, plugin_object.NAME,
parser_mediator.GetDisplayName()))
# Check if we still haven't parsed the file, and if so we will use
# the default OLECF plugin.
if not parsed and self._default_plugin:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, root_item=root_item, item_names=item_names)
olecf_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
"""
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
u'unable to open file with error: {0:s}'.format(exception))
return
root_item = olecf_file.root_item
if not root_item:
return
# Get a list of all items in the root item from the OLECF file.
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugin objects.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
# TODO: add a parser filter.
for plugin_object in self._plugin_objects:
try:
plugin_object.UpdateChainAndProcess(
parser_mediator, root_item=root_item, item_names=item_names)
except errors.WrongPlugin:
logging.debug(
u'[{0:s}] plugin: {1:s} cannot parse the OLECF file: {2:s}'.format(
self.NAME, plugin_object.NAME,
parser_mediator.GetDisplayName()))
if self._default_plugin:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, root_item=root_item, item_names=item_names)
olecf_file.close()
def ReadFileObject(self, file_object):
"""Reads an Automatic Destinations Jump List file-like object.
Args:
file_object (file): file-like object.
Raises:
ParseError: if the file cannot be read.
"""
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object)
try:
self._ReadDestList(olecf_file)
self._ReadLNKFiles(olecf_file)
finally:
olecf_file.close()
def pyolecf_test_multi_open_close_file(filename, mode):
print "Testing multi open close of: {0:s} with access: {1:s}\t".format(
filename, get_mode_string(mode))
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
olecf_file.open(filename, mode)
olecf_file.close()
except:
print "(FAIL)"
return False
print "(PASS)"
return True
def parse_Compound_File(file_to_parse):
file_object = open(file_to_parse, "rb")
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object)
SQLitedb.CreateTempTable(table_name + '_temp', table_columns)
root_item = olecf_file.get_root_item()
#print ("Root Item Name ==> " + root_item.get_name())
#print ("Number of Sub_Items ==> " + str(root_item.get_number_of_sub_items()))
Base_Name = ntpath.basename(file_to_parse)
(File_Name, Extension) = ntpath.splitext(Base_Name)
if (App_Id.CheckAppId(File_Name)):
App_Id_Desc = App_Id.SelectAppId(File_Name)[0]
#print ("App id => " + App_Id.SelectAppId(File_Name)[0])
else:
App_Id_Desc = File_Name
#print ("File Name => " + File_Name)
for i in range (0, root_item.get_number_of_sub_items()):
jl_record = []
jl_record.append(File_Name)
jl_record.append(App_Id_Desc)
new_item = root_item.get_sub_item(i)
jl_record.append(new_item.get_name())
#print (" Sub Item Name ==> " + new_item.get_name())
#print (" Sub Item Sub Items ==> " + str(new_item.get_number_of_sub_items()))
if new_item.get_name() == u'DestList':
continue
new_link_item = pylnk.file()
new_link_item.open_file_object(new_item)
jl_record = Create_Bind_Values(jl_record, new_link_item)
try:
SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns, sql_bind, jl_record)
except:
print ("Error in Link Item ==> " + str(jl_record[1]) + " <==> " + str(jl_record[2]))
if (SQLitedb.TableExists(table_name)):
SQLitedb.AppendTempToPermanentTable(table_name)
else:
SQLitedb.CreatePermanentTable(table_name)
SQLitedb.DropTable(table_name + '_temp')
def _ParseOLECFFileWithPlugin(
self, path_segments, plugin, codepage='cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (OLECFPlugin): OLE CF plugin.
codepage (Optional[str]): codepage.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
Returns:
FakeStorageWriter: storage writer.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer, file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin.Process(
parser_mediator, root_item=root_item, item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def _ParseOleCfFileWithPlugin(
self, path_segments, plugin_object, codepage=u'cp1252',
knowledge_base_values=None):
"""Parses a file as an OLE compound file and returns an event generator.
Args:
path_segments: a list of strings containinge the path segments inside
plugin_object: an OLE CF plugin object (instance of OleCfPlugin).
codepage: optional string containing the codepage.
knowledge_base_values: optional dictionary containing the knowledge base
values.
Returns:
A storage writer object (instance of FakeStorageWriter).
"""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntryFromPath(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer, file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(codepage)
olecf_file.open_file_object(file_object)
# Get a list of all root items from the OLE CF file.
root_item = olecf_file.root_item
item_names = [item.name for item in root_item.sub_items]
plugin_object.Process(
parser_mediator, root_item=root_item, item_names=item_names)
olecf_file.close()
finally:
file_object.close()
return storage_writer
def test_open(self):
"""Tests the open function."""
if not unittest.source:
return
olecf_file = pyolecf.file()
olecf_file.open(unittest.source)
with self.assertRaises(IOError):
olecf_file.open(unittest.source)
olecf_file.close()
with self.assertRaises(TypeError):
olecf_file.open(None)
with self.assertRaises(ValueError):
olecf_file.open(unittest.source, mode="w")
def test_set_ascii_codepage(self):
"""Tests the set_ascii_codepage function."""
supported_codepages = (
"ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
"cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
"cp1258")
olecf_file = pyolecf.file()
for codepage in supported_codepages:
olecf_file.set_ascii_codepage(codepage)
unsupported_codepages = (
"iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
"iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
"iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
"iso-8859-16", "koi8_r", "koi8_u")
for codepage in unsupported_codepages:
with self.assertRaises(RuntimeError):
olecf_file.set_ascii_codepage(codepage)
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
return
file_object = open(unittest.source, "rb")
olecf_file = pyolecf.file()
olecf_file.open_file_object(file_object)
with self.assertRaises(IOError):
olecf_file.open_file_object(file_object)
olecf_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
olecf_file.open_file_object(None)
with self.assertRaises(ValueError):
olecf_file.open_file_object(file_object, mode="w")
def pyolecf_test_single_open_close_file(filename, mode):
if not filename:
filename_string = "None"
else:
filename_string = filename
print "Testing single open close of: {0:s} with access: {1:s}\t".format(
filename_string, get_mode_string(mode))
try:
olecf_file = pyolecf.file()
olecf_file.open(filename, mode)
olecf_file.close()
except TypeError, exception:
if (not filename and
exception.message == "pyolecf_file_open: unsupported string object type."):
pass
else:
print "(FAIL)"
return False
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
if not os.path.isfile(unittest.source):
raise unittest.SkipTest("source not a regular file")
olecf_file = pyolecf.file()
with open(unittest.source, "rb") as file_object:
olecf_file.open_file_object(file_object)
with self.assertRaises(IOError):
olecf_file.open_file_object(file_object)
olecf_file.close()
with self.assertRaises(TypeError):
olecf_file.open_file_object(None)
with self.assertRaises(ValueError):
olecf_file.open_file_object(file_object, mode="w")
def main():
supported_codepages = [
"ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
"cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
"cp1258"]
unsupported_codepages = [
"iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
"iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
"iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
"iso-8859-16", "koi8_r", "koi8_u"]
olecf_file = pyolecf.file()
result = True
for codepage in supported_codepages:
print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
codepage)),
try:
olecf_file.ascii_codepage = codepage
result = True
except:
result = False
if not result:
print("(FAIL)")
return False
print("(PASS)")
print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
codepage)),
try:
olecf_file.set_ascii_codepage(codepage)
result = True
except:
result = False
if not result:
print("(FAIL)")
return False
print("(PASS)")
for codepage in unsupported_codepages:
print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
codepage)),
result = False
try:
olecf_file.ascii_codepage = codepage
except RuntimeError as exception:
expected_message = (
"{0:s}: unable to determine ASCII codepage.").format(
"pyolecf_file_set_ascii_codepage_from_string")
if str(exception) == expected_message:
result = True
except:
pass
if not result:
print("(FAIL)")
return False
print("(PASS)")
print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
codepage)),
result = False
try:
olecf_file.set_ascii_codepage(codepage)
except RuntimeError as exception:
expected_message = (
"{0:s}: unable to determine ASCII codepage.").format(
"pyolecf_file_set_ascii_codepage_from_string")
if str(exception) == expected_message:
result = True
except:
pass
if not result:
print("(FAIL)")
return False
print("(PASS)")
return True
def main():
supported_codepages = [
"ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
"cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
"cp1258"]
unsupported_codepages = [
"iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
"iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
"iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
"iso-8859-16", "koi8_r", "koi8_u"]
olecf_file = pyolecf.file()
result = True
for codepage in supported_codepages:
print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
codepage)),
try:
olecf_file.ascii_codepage = codepage
result = True
except:
result = False
if not result:
print("(FAIL)")
return False
print("(PASS)")
print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
codepage)),
try:
olecf_file.set_ascii_codepage(codepage)
result = True
except:
result = False
if not result:
print("(FAIL)")
return False
print("(PASS)")
for codepage in unsupported_codepages:
print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
codepage)),
result = False
try:
olecf_file.ascii_codepage = codepage
except RuntimeError as exception:
expected_message = (
"{0:s}: unable to determine ASCII codepage.").format(
"pyolecf_file_set_ascii_codepage_from_string")
if str(exception) == expected_message:
result = True
except:
pass
if not result:
print("(FAIL)")
return False
print("(PASS)")
print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
codepage)),
result = False
try:
olecf_file.set_ascii_codepage(codepage)
except RuntimeError as exception:
expected_message = (
"{0:s}: unable to determine ASCII codepage.").format(
"pyolecf_file_set_ascii_codepage_from_string")
if str(exception) == expected_message:
result = True
except:
pass
if not result:
print("(FAIL)")
return False
print("(PASS)")
return True
def ParseFileObject(self, parser_mediator, file_object):
"""Parses an OLE Compound File (OLECF) file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
self.IJBsaveFile(file_object)
ijb_ret = self.IJBParserRecords(file_object)
if ijb_ret is not "NO TYPE":
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
for ret in ijb_ret:
if ret:
event_data = WinThumbnailExecutionEventData()
event_data.thumbs_info = ret
event_data.thumbs_sha1 = self.GetSHA1(ret)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_NOT_A_TIME)
parser_mediator.ProduceEventWithEventData(
event, event_data)
return
else:
olecf_file = pyolecf.file()
olecf_file.set_ascii_codepage(parser_mediator.codepage)
try:
olecf_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
'unable to open file with error: {0!s}'.format(exception))
return
root_item = olecf_file.root_item
if not root_item:
return
# Get a list of all items in the root item from the OLECF file.
item_names = [item.name for item in root_item.sub_items]
# Compare the list of available plugin objects.
# We will try to use every plugin against the file (except
# the default plugin) and run it. Only if none of the plugins
# works will we use the default plugin.
item_names = frozenset(item_names)
try:
for plugin in self._plugins:
if parser_mediator.abort:
break
if not plugin.REQUIRED_ITEMS.issubset(item_names):
continue
try:
plugin.UpdateChainAndProcess(parser_mediator,
root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionError((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(plugin.NAME, exception))
if self._default_plugin and not parser_mediator.abort:
try:
self._default_plugin.UpdateChainAndProcess(
parser_mediator, root_item=root_item)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionError((
'plugin: {0:s} unable to parse OLECF file with error: '
'{1!s}').format(self._default_plugin.NAME,
exception))
finally:
olecf_file.close()
def test_signal_abort(self):
"""Tests the signal_abort function."""
olecf_file = pyolecf.file()
olecf_file.signal_abort()
